
我有以下 spring-security.xml 文件:— Spring Security 基於角色的重定向

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Role-restricted URL prefixes. Only these five patterns are listed and there is
         no catch-all entry, so paths outside them are not access-controlled by this
         list. NOTE(review): confirm that is intended. -->
    <http auto-config="true">
      <intercept-url pattern="/Freelancer/**" access="ROLE_FREELANCE" />
      <intercept-url pattern="/Client/**" access="ROLE_CLIENT" />
      <intercept-url pattern="/Agency/**" access="ROLE_AGENCY" />
      <intercept-url pattern="/Manager/**" access="ROLE_MANAGER" />
      <intercept-url pattern="/User/**" access="ROLE_USER" />
      <!-- ${role} is Spring property-placeholder syntax: it is resolved once when the
           context starts, not per request, so it cannot carry the role of the user
           who just logged in. -->
      <form-login default-target-url="/${role}" login-page="/login.jsp" />
      <logout logout-url="/logout" logout-success-url="/" />
    </http>

    <authentication-manager>
      <!-- No <password-encoder> is declared, so the value of the password column is
           compared with the submitted password as stored. NOTE(review): confirm the
           column holds hashed values and configure an encoder accordingly. -->
      <authentication-provider>
      <jdbc-user-service data-source-ref="dataSource"
       users-by-username-query="select user_name,password, enabled from Users where user_name=?"
       authorities-by-username-query="select u.user_name, u.role from Users u where u.user_name =?"/>
      </authentication-provider>
    </authentication-manager>

</beans:beans>

我想要什麼,我想將用戶重定向到他們的工作區,例如,如果客戶端登錄,然後他會被重定向到/Client/index.jsp,如果Agency登錄,他們將被重定向到/Agency/index.jsp。

有沒有什麼方法可以在 spring-security.xml 文件中訪問該角色,以便將用戶重定向到他們的工作區?

<!-- ${role} here is a property placeholder resolved at context startup; it is not
     the role of the user who just authenticated, so this cannot redirect per role. -->
<form-login default-target-url="/${role}" login-page="/login.jsp" />

我的目錄結構與角色名稱相似。

有什麼想法。

回答


編寫一個 Spring 控制器,它將根據用戶角色提供不同的頁面以供顯示。編寫一個身份驗證成功處理程序類,並在其中編寫代碼來決定根據角色重定向到哪裏。

首先<form-login />標籤需要更改。

<!-- authentication-success-handler-ref replaces default-target-url: the handler's
     determineTargetUrl() chooses the redirect for each user. -->
<form-login login-page="/landing" authentication-success-handler-ref="authSuccessHandler" />

<!-- NOTE: "package" is a reserved word in Java, so com.package is not a valid
     package name; substitute the handler's real package here. -->
<beans:bean id="authSuccessHandler" class="com.package.AuthSuccessHandler" />

刪除default-target-url屬性。讓auth處理程序決定在哪裏重定向用戶。

驗證成功處理程序類將是這樣的:

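public class AuthSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    /**
     * Chooses the post-login landing page from the granted authorities of the
     * user who just authenticated.
     *
     * <p>Each authority is compared with {@code equals} against the exact role
     * names the security config grants ("ROLE_CLIENT", "ROLE_AGENCY"). The
     * previous {@code toString().contains("client")} check would not match
     * those upper-case names and would also match any role that merely
     * contains the word. When no known role is present this defers to the
     * parent's default target URL instead of redirecting to the empty string.
     *
     * <p>NOTE(review): the question's intercept-url rules protect
     * {@code /Client/**} and {@code /Agency/**}; confirm the target paths below
     * match the case of those protected prefixes.
     *
     * @param request  the current request
     * @param response the current response
     * @return the URL to redirect to
     */
    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            // needs: import org.springframework.security.core.GrantedAuthority;
            for (GrantedAuthority granted : auth.getAuthorities()) {
                String role = granted.getAuthority();
                if ("ROLE_CLIENT".equals(role)) {
                    return "/client/index";
                }
                if ("ROLE_AGENCY".equals(role)) {
                    return "/agency/index";
                }
            }
        }
        // No recognised role: let the configured default target URL apply.
        return super.determineTargetUrl(request, response);
    }
}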

這是一個示例代碼。根據您的要求更改它。


那是在 CustomService.java 上,我們將角色映射到 Spring Security 嗎? –


最好對已授予的權限使用 equals 來檢查角色;如果多個角色名稱包含相同的子串,contains 可能會失敗。在表單登錄配置中

添加身份驗證成功處理程序,如下所示:

<http auto-config="true">
    <intercept-url pattern="/Freelancer/**" access="ROLE_FREELANCE" />
    <intercept-url pattern="/Client/**" access="ROLE_CLIENT" />
    <intercept-url pattern="/Agency/**" access="ROLE_AGENCY" />
    <intercept-url pattern="/Manager/**" access="ROLE_MANAGER" />
    <intercept-url pattern="/User/**" access="ROLE_USER" />
    <!-- myAuthenticationSuccessHandler must be declared as a bean with this id;
         the bean definition is not part of this snippet. -->
    <form-login login-page='/login.html'
       authentication-failure-url="/login.html?error=true"
       authentication-success-handler-ref="myAuthenticationSuccessHandler"/>
    <logout logout-url="/logout" logout-success-url="/" />
</http>

而且成功處理程序是這樣的:

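public class MySimpleUrlAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    protected Log logger = LogFactory.getLog(this.getClass());

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    /**
     * Redirects the freshly authenticated user to the landing page for their
     * role, then drops the authentication-exception attribute a previous
     * failed attempt may have left in the session.
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
        handle(request, response, authentication);
        clearAuthenticationAttributes(request);
    }

    /**
     * Sends the role-based redirect unless the response is already committed,
     * in which case the redirect is logged and skipped.
     */
    protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
        String targetUrl = determineTargetUrl(authentication);

        if (response.isCommitted()) {
            logger.debug("Response has already been committed. Unable to redirect to " + targetUrl);
            return;
        }

        redirectStrategy.sendRedirect(request, response, targetUrl);
    }

    /**
     * Picks the landing page by fixed role priority: FREELANCE, then CLIENT,
     * AGENCY, MANAGER, USER.
     *
     * <p>All granted authorities are inspected before deciding, so a user who
     * holds several roles always lands on the same page. The previous version
     * broke out of the loop at the first recognised authority, which made the
     * result depend on the order in which authorities were returned.
     *
     * <p>NOTE(review): the returned paths are relative and lower-case
     * ("freelance/homepage.html") while the intercept-url rules in this answer
     * protect "/Freelancer/**" and similar; confirm the landing pages actually
     * sit under the role-restricted prefixes.
     *
     * @param authentication the successful authentication
     * @return the landing page for the highest-priority role the user holds
     * @throws IllegalStateException if the user holds none of the known roles
     */
    protected String determineTargetUrl(Authentication authentication) {
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();

        if (hasRole(authorities, "ROLE_FREELANCE")) {
            return "freelance/homepage.html";
        } else if (hasRole(authorities, "ROLE_CLIENT")) {
            return "client/homepage.html";
        } else if (hasRole(authorities, "ROLE_AGENCY")) {
            return "agency/homepage.html";
        } else if (hasRole(authorities, "ROLE_MANAGER")) {
            return "manager/homepage.html";
        } else if (hasRole(authorities, "ROLE_USER")) {
            return "user/homepage.html";
        } else {
            throw new IllegalStateException("No known role among granted authorities: " + authorities);
        }
    }

    /** Exact (equals) match of one role name against the granted authorities. */
    private static boolean hasRole(Collection<? extends GrantedAuthority> authorities, String role) {
        for (GrantedAuthority grantedAuthority : authorities) {
            if (role.equals(grantedAuthority.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Removes the stored authentication exception from the session, if a
     * session exists; no session is created just for this.
     */
    protected void clearAuthenticationAttributes(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }
        session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
    }

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }

    protected RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }
}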

您可以像這樣使用自定義的成功處理程序,採用基於註解的解決方案:

import java.io.IOException; 
import java.util.ArrayList; 
import java.util.Collection; 
import java.util.List; 

import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletResponse; 

import org.springframework.security.core.Authentication; 
import org.springframework.security.core.GrantedAuthority; 
import org.springframework.security.web.DefaultRedirectStrategy; 
import org.springframework.security.web.RedirectStrategy; 
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler; 
import org.springframework.stereotype.Component; 

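@Component
public class CustomSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    /**
     * Sends the role-based redirect unless the response is already committed.
     * The skipped redirect is reported through the logger inherited from the
     * base handler instead of {@code System.out}, so it ends up in the
     * application log with the rest of the security output.
     */
    @Override
    protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
            throws IOException {
        String targetUrl = determineTargetUrl(authentication);

        if (response.isCommitted()) {
            logger.debug("Response has already been committed. Unable to redirect to " + targetUrl);
            return;
        }

        redirectStrategy.sendRedirect(request, response, targetUrl);
    }

    /**
     * Extracts the roles of the currently logged-in user and returns the
     * URL for the most privileged one: DBA, then ADMIN, then USER. A user
     * with none of these roles is sent to {@code /accessDenied}.
     *
     * @param authentication the successful authentication
     * @return the context-relative landing URL
     */
    protected String determineTargetUrl(Authentication authentication) {
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();

        List<String> roles = new ArrayList<String>();
        for (GrantedAuthority a : authorities) {
            roles.add(a.getAuthority());
        }

        if (isDba(roles)) {
            return "/db";
        } else if (isAdmin(roles)) {
            return "/admin";
        } else if (isUser(roles)) {
            return "/home";
        }
        return "/accessDenied";
    }

    private boolean isUser(List<String> roles) {
        return roles.contains("ROLE_USER");
    }

    private boolean isAdmin(List<String> roles) {
        return roles.contains("ROLE_ADMIN");
    }

    private boolean isDba(List<String> roles) {
        return roles.contains("ROLE_DBA");
    }

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }

    protected RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }

}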

並將安全配置如下:

import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; 
import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 

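@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomSuccessHandler customSuccessHandler;

    /**
     * Registers the demo users in a single in-memory store.
     *
     * <p>The users are chained with {@code and()} rather than calling
     * {@code inMemoryAuthentication()} three times, which would register three
     * separate providers that each hold one user.
     *
     * <p>NOTE(review): the credentials are plain-text literals in source. Keep
     * this to local demos; a real deployment needs an external user store and a
     * PasswordEncoder (Spring Security 5+ rejects un-encoded passwords).
     */
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("bill").password("abc123").roles("USER")
            .and()
            .withUser("admin").password("root123").roles("ADMIN")
            .and()
            .withUser("dba").password("root123").roles("ADMIN", "DBA");
    }

    /**
     * URL authorisation and form-login wiring.
     *
     * <p>Only the listed matchers are protected; there is no {@code anyRequest()}
     * rule, so other paths appear to be reachable without authentication -
     * confirm that is intended. {@code csrf()} without arguments leaves CSRF
     * protection at its enabled default. The success handler chooses the
     * post-login page from the user's roles.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/", "/home").access("hasRole('USER')")
            .antMatchers("/admin/**").access("hasRole('ADMIN')")
            .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
            .and().formLogin().loginPage("/login").successHandler(customSuccessHandler)
            .usernameParameter("ssoId").passwordParameter("password")
            .and().csrf()
            .and().exceptionHandling().accessDeniedPage("/Access_Denied");
    }

}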